The present disclosure generally relates to user account authentication and, in particular, to selecting an authentication process.
Client devices (e.g., a mobile phone, tablet, or desktop computer) are configured to store tokens that allow users or user accounts to be authenticated by a service without the user having to provide login credentials. More specifically, the client device may transmit a token corresponding to a particular service to an identity server for that service. The identity server uses the token to determine whether the user is authenticated and, if the user is authenticated, allows the user access to resources or services provided by the service. In some cases, several tokens may be stored on a client device. Furthermore, one token may be used to authenticate several user accounts or be used to authorize one user account for several services.
However, some tokens that are used for one or more user accounts do not expire. Accordingly, anyone with possession of a user's device may use the tokens to authenticate the user's accounts and access services or resources that are reserved to the user. For example, if a user's mobile device is lost or stolen, anybody picking up the mobile device can be authenticated as the user to an email service and access the user's email. Other sensitive information or services may similarly be accessed.
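The exposure described above can be seen from the identity server's side in the following added example, which is not part of the disclosure: a token with no expiry claim stays valid for whoever holds the device, while a server that requires and checks an expiry rejects it. The HMAC-signed token format, the claim names (`sub`, `svc`, `iat`, `exp`), the key and the function names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo key; an identity server would load a managed secret instead.
SERVER_KEY = b"constructed-demo-key"

def _sign(body: str) -> str:
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(account, service, issued_at, ttl=None):
    """Hypothetical issuer. ttl=None yields the non-expiring token described above."""
    claims = {"sub": account, "svc": service, "iat": issued_at}
    if ttl is not None:
        claims["exp"] = issued_at + ttl
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body)}"

def verify_token(token, service, now, require_expiry=True):
    """Return the authenticated account, or None if the token is rejected."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if claims.get("svc") != service:  # token was issued for another service
        return None
    exp = claims.get("exp")
    if exp is None:
        # Legacy behaviour: possession of the token alone authenticates, forever.
        return None if require_expiry else claims["sub"]
    return claims["sub"] if now < exp else None

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time (Unix seconds)
    legacy = issue_token("alice@example.com", "email", t0)
    bounded = issue_token("alice@example.com", "email", t0, ttl=900)
    later = t0 + 365 * 86400  # device found a year after the token was issued
    print(verify_token(legacy, "email", later, require_expiry=False))  # accepted
    print(verify_token(legacy, "email", later))   # rejected: no exp claim
    print(verify_token(bounded, "email", later))  # rejected: expired
```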